#!/bin/sh

# Copyright (C) 2014 Nikos Mavrogiannopoulos
#
# This file is part of GnuTLS.
#
# GnuTLS is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# GnuTLS is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with GnuTLS; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

#set -e

: ${srcdir=.}
: ${CERTTOOL=../../src/certtool${EXEEXT}}
: ${DIFF=diff -b -B}
OUTFILE=cert-pss-privkey.$$.tmp
TMPFILE=cert-pss.$$.tmp
TMPFILE2=cert2-pss.$$.tmp

if ! test -x "${CERTTOOL}"; then
	exit 77
fi

if ! test -z "${VALGRIND}"; then
	VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
fi

# Create an RSA-PSS private key, restricted to the use with RSA-PSS
${VALGRIND} "${CERTTOOL}" --generate-privkey \
        --key-type rsa-pss --outfile "$OUTFILE"
rc=$?

if test "${rc}" != "0"; then
	echo "Could not generate an RSA-PSS key"
	exit 1
fi

# check whether description is present
grep 'modulus:' ${OUTFILE}
if test $? != 0;then
	cat ${OUTFILE}
	echo "PKCS#8 file does not contain modulus text"
	exit 1
fi

for i in sha256 sha384 sha512;do
if test "${GNUTLS_FORCE_FIPS_MODE}" = 1 && test "$i" != sha384;then
	continue
fi

# Create an RSA-PSS private key, restricted to the use with RSA-PSS
${VALGRIND} "${CERTTOOL}" --generate-privkey --pkcs8 --password '' \
        --key-type rsa-pss --hash $i --outfile "$OUTFILE"
rc=$?

if test "${rc}" != "0"; then
	echo "Could not generate an RSA-PSS key ($i)"
	exit 1
fi

${VALGRIND} "${CERTTOOL}" -k --password '' --infile "$OUTFILE" >/dev/null
rc=$?
if test "${rc}" != "0"; then
	echo "Could not read generated an RSA-PSS key ($i)"
	exit 1
fi

# Create an RSA-PSS certificate from an RSA-PSS private key
${VALGRIND} "${CERTTOOL}" --generate-self-signed \
	--pkcs8 --load-privkey "$OUTFILE" --password '' \
	--template "${srcdir}/templates/template-test.tmpl" \
	--outfile "${TMPFILE}" --hash $i
rc=$?

if test "${rc}" != "0"; then
	echo "Could not generate an RSA-PSS certificate from an RSA-PSS key ($i)"
	exit 1
fi

rm -f "${TMPFILE}"

# Create an RSA-PSS certificate from an RSA-PSS private key, with
# mismatched parameters
for j in sha256 sha384 sha512;do
${VALGRIND} "${CERTTOOL}" --generate-self-signed \
	--pkcs8 --load-privkey "$OUTFILE" --password '' \
	--template "${srcdir}/templates/template-test.tmpl" \
	--outfile "${TMPFILE}" --hash $j
rc=$?

if test "$j" != "$j" && "${rc}" = "0"; then
	echo "Unexpectedly succeeded to generate an RSA-PSS certificate ($j != $i)"
	exit 1
fi
done
rm -f "${TMPFILE}"

# Create an RSA-PSS certificate from an RSA key
${VALGRIND} "${CERTTOOL}" --generate-certificate --key-type rsa-pss \
	    --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" \
	    --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
	    --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
	    --template "${srcdir}/templates/template-test.tmpl" \
	    --outfile "${TMPFILE}" --hash $i
rc=$?

if test "${rc}" != "0"; then
	echo "Could not generate an RSA-PSS certificate $i"
	exit 1
fi

${CERTTOOL} -i --infile ${TMPFILE}|grep -i "Subject Public Key Algorithm: RSA-PSS"
if test $? != 0;then
	echo "Generated certificate is not RSA-PSS"
	cat ${TMPFILE}
	exit 1
fi

rm -f "${TMPFILE}"

# Create an RSA certificate from an RSA key, with wrong key-type, should fail
${VALGRIND} "${CERTTOOL}" --generate-certificate --key-type ecdsa \
	    --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" \
	    --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
	    --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
	    --template "${srcdir}/templates/template-test.tmpl" \
	    --outfile "${TMPFILE}"
rc=$?

if test "${rc}" = "0"; then
	echo "Succeeded with wrong key type"
	exit 1
fi

# Create an RSA certificate from an RSA key, and sign it with RSA-PSS
${VALGRIND} "${CERTTOOL}" --generate-certificate --rsa --sign-params rsa-pss \
	    --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" \
	    --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
	    --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
	    --template "${srcdir}/templates/template-test.tmpl" \
	    --outfile "${TMPFILE}" --hash $i
rc=$?

if test "${rc}" != "0"; then
	echo "Could not generate an RSA-PSS certificate"
	exit 1
fi

${CERTTOOL} -i --infile ${TMPFILE}|tr -d '\r' > ${TMPFILE2}
grep -i 'Subject Public Key Algorithm: RSA$' ${TMPFILE2} >/dev/null
if test $? != 0;then
	echo "Generated certificate is not RSA"
	cat ${TMPFILE}
	exit 1
fi

grep -i "Signature Algorithm: RSA-PSS" ${TMPFILE2} 
if test $? != 0;then
	echo "Generated certificate is not signed with RSA-PSS"
	cat ${TMPFILE}
	exit 1
fi

grep -i "Signature Algorithm: RSA-PSS-${i}" ${TMPFILE2} 
if test $? != 0;then
	echo "Generated certificate is not signed with RSA-PSS-${i}"
	cat ${TMPFILE}
	exit 1
fi

rm -f "${TMPFILE}"
rm -f "${TMPFILE2}"

done

# Convert an RSA-PSS key to an RSA key
#

${VALGRIND} "${CERTTOOL}" --to-rsa --infile "${srcdir}/data/key-rsa-pss.pem" --outfile ${TMPFILE}
rc=$?

if test "${rc}" != "0"; then
	echo "Could not convert an RSA-PSS certificate"
	exit 1
fi

${DIFF} "${srcdir}/data/key-rsa-pss-raw.pem" ${TMPFILE}
rc=$?

if test "${rc}" != "0"; then
	echo "RSA-PSS decoding failed"
	exit ${rc}
fi

echo "RSA-PSS to RSA conversion was successful"

rm -f "${TMPFILE}"

export TZ="UTC"

. ${srcdir}/../scripts/common.sh

skip_if_no_datefudge

datefudge "2012-11-22" \
${VALGRIND} "${CERTTOOL}" --verify --load-ca-certificate "${srcdir}/data/cert-rsa-pss.pem" --infile "${srcdir}/data/cert-rsa-pss.pem"
rc=$?

if test "${rc}" != "0"; then
	echo "There was an issue verifying the certificate"
	exit 1
fi

rm -f "${TMPFILE}"

exit 0
